Bug 2311154 (CVE-2024-43800)

Summary: CVE-2024-43800 serve-static: Improper Sanitization in serve-static
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aarif, aazores, adudiak, adupliak, akostadi, amasferr, amctagga, anjoseph, anli, anpicker, aprice, asoldano, bbaranow, bdettelb, bmaxwell, brian.stansberry, brking, caswilli, cbartlet, cdaley, cdewolf, chazlett, cmiranda, danken, darran.lofthouse, dbosanac, dhanak, dholler, dkreling, dkuc, dmayorov, doconnor, dosoudil, dsimansk, dymurray, eaguilar, ebaron, ecerquei, eric.wittmann, fdeutsch, fjansen, fjuma, gkamathe, gmalinko, gotiwari, gparvin, gtanzill, haoli, hasun, hkataria, ibek, ibolton, istudens, ivassile, iweiss, janstey, jcammara, jcantril, jchui, jkang, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jowilson, jpallich, jprabhak, jreimann, jrokos, jsamir, jwendell, jwong, kaycoth, kingland, kshier, ktsao, kverlaen, lbainbri, lgao, mabashia, matzew, mdessi, mjaros, mkleinhe, mkudlej, mmakovy, mnovotny, mosmerov, mpierce, mrizzi, msochure, msvehla, mulliken, mvyas, mwringe, nboldt, nipatil, njean, nwallace, nyancey, omaciel, ometelka, oramraz, owatkins, pahickey, pantinor, parichar, pbraun, pcattana, pcongius, pdelbell, pgaikwad, phoracek, pierdipi, pjindal, pmackay, ptisnovs, rcernich, rguimara, rhaigner, rhuss, rjohnson, rkubis, rstancel, rstepani, rtaniwa, saroy, sdawley, sfroberg, simaishi, slucidi, smaestri, smcdonal, smullick, sseago, stcannon, stirabos, syedriko, tasato, teagle, tfister, thavo, tjochec, tkral, tom.jenkinson, twalsh, wtam, wzheng, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect().
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2311498, 2311499, 2311502, 2311510, 2311522, 2311480, 2311481, 2311482, 2311483, 2311484, 2311485, 2311486, 2311487, 2311488, 2311489, 2311490, 2311491, 2311492, 2311493, 2311494, 2311495, 2311496, 2311500, 2311501, 2311503, 2311504, 2311505, 2311506, 2311507, 2311508, 2311509, 2311511, 2311512, 2311513, 2311514, 2311515, 2311516, 2311517, 2311518, 2311519, 2311520, 2311521    
Bug Blocks:    

Description OSIDB Bzimport 2024-09-10 15:30:58 UTC 
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
Comment 1 errata-xmlrpc 2024-10-07 09:22:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.4 for RHEL 8

Via RHSA-2024:7724 https://access.redhat.com/errata/RHSA-2024:7724
Comment 2 errata-xmlrpc 2024-10-07 09:25:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.6 for RHEL 8
  Red Hat OpenShift Service Mesh 2.6 for RHEL 9

Via RHSA-2024:7726 https://access.redhat.com/errata/RHSA-2024:7726
Comment 3 errata-xmlrpc 2024-10-07 09:25:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.5 for RHEL 8

Via RHSA-2024:7725 https://access.redhat.com/errata/RHSA-2024:7725
Comment 4 errata-xmlrpc 2024-10-14 01:00:38 UTC 
This issue has been addressed in the following products:

  RHOSS-1.34-RHEL-8

Via RHSA-2024:8023 https://access.redhat.com/errata/RHSA-2024:8023
Comment 5 errata-xmlrpc 2024-10-22 01:06:51 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.7.0-RHEL-9

Via RHSA-2024:8014 https://access.redhat.com/errata/RHSA-2024:8014
Comment 6 errata-xmlrpc 2024-10-30 14:34:07 UTC 
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676
Comment 7 errata-xmlrpc 2024-12-10 01:37:31 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:10906 https://access.redhat.com/errata/RHSA-2024:10906
Comment 8 errata-xmlrpc 2024-12-12 20:00:56 UTC 
This issue has been addressed in the following products:

  HawtIO 4.0.0 for Red Hat build of Apache Camel 4

Via RHSA-2024:11023 https://access.redhat.com/errata/RHSA-2024:11023
Comment 9 errata-xmlrpc 2025-01-08 10:04:08 UTC 
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2025:0079 https://access.redhat.com/errata/RHSA-2025:0079
Comment 10 errata-xmlrpc 2025-01-08 11:31:51 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:0082 https://access.redhat.com/errata/RHSA-2025:0082
Comment 11 errata-xmlrpc 2025-01-09 11:28:35 UTC 
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:0164 https://access.redhat.com/errata/RHSA-2025:0164
Comment 12 errata-xmlrpc 2025-01-15 01:19:42 UTC 
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:0323 https://access.redhat.com/errata/RHSA-2025:0323
Comment 14 errata-xmlrpc 2025-02-05 10:49:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0875 https://access.redhat.com/errata/RHSA-2025:0875